treewide: don't reference <secrets> explicitly

2023-09-11 15:31:13 +02:00 · 2023-09-11 15:31:13 +02:00 · 5370e04857
parent 8fc162ee3d
commit 5370e04857
28 changed files with 44 additions and 39 deletions
--- a/kartei/makefu/default.nix
+++ b/kartei/makefu/default.nix
@ -51,7 +51,7 @@
      ssh.pubkey = readFile pubkey-path;
      # We assume that if the sshd pubkey exits then there must be a privkey in
      # the screts store as well
-      ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
+      ssh.privkey.path = "${config.krebs.secret.directory}/ssh_host_ed25519_key";
    })
    host
  ];
--- a/kartei/tv/default.nix
+++ b/kartei/tv/default.nix
@ -43,7 +43,7 @@ in {
        })
        (host: mkIf (host.config.ssh.pubkey != null) {
          ssh.privkey = mapAttrs (const mkDefault) {
-            path = config.krebs.secret.file "ssh.id_${host.config.ssh.privkey.type}";
+            path = "${config.krebs.secret.directory}/ssh.id_${host.config.ssh.privkey.type}";
            type = head (toList (builtins.match "ssh-([^ ]+) .*" host.config.ssh.pubkey));
          };
        })
--- a/krebs/1systems/hotdog/config.nix
+++ b/krebs/1systems/hotdog/config.nix
@ -22,7 +22,7 @@
  ];
  krebs.build.host = config.krebs.hosts.hotdog;
-  krebs.hosts.hotdog.ssh.privkey.path = <secrets/ssh.id_ed25519>;
+  krebs.hosts.hotdog.ssh.privkey.path = "${config.krebs.secret.directory}/ssh.id_ed25519";
  krebs.pages.enable = true;
  boot.isContainer = true;
--- a/krebs/1systems/puyak/config.nix
+++ b/krebs/1systems/puyak/config.nix
@ -113,7 +113,7 @@
  ];
  krebs.build.host = config.krebs.hosts.puyak;
-  krebs.hosts.puyak.ssh.privkey.path = <secrets/ssh.id_ed25519>;
+  krebs.hosts.puyak.ssh.privkey.path = "${config.krebs.secret.directory}/ssh.id_ed25519";
  sound.enable = false;
  boot = {
--- a/krebs/1systems/wolf/config.nix
+++ b/krebs/1systems/wolf/config.nix
@ -51,7 +51,7 @@ in
  # uninteresting stuff
  #####################
  krebs.build.host = config.krebs.hosts.wolf;
-  krebs.hosts.wolf.ssh.privkey.path = <secrets/ssh.id_ed25519>;
+  krebs.hosts.wolf.ssh.privkey.path = "${config.krebs.secret.directory}/ssh.id_ed25519";
  boot.initrd.availableKernelModules = [
    "ata_piix" "uhci_hcd" "ehci_pci" "virtio_pci" "virtio_blk"
--- a/krebs/2configs/cache.nsupdate.info.nix
+++ b/krebs/2configs/cache.nsupdate.info.nix
@ -9,7 +9,7 @@ in {
    enable = true;
    server = "ipv4.nsupdate.info";
    username = domain;
-    password = import ((toString <secrets>) + "/nsupdate-cache.nix");
+    password = import "${config.krebs.secret.directory}/nsupdate-cache.nix";
    domains = [ domain ];
    use= "if, if=et0";
    # use = "web, web=http://ipv4.nsupdate.info/myip";
--- a/krebs/2configs/matterbridge.nix
+++ b/krebs/2configs/matterbridge.nix
@ -2,7 +2,7 @@
  services.matterbridge = {
    enable = true;
    configPath = let
-      bridgeBotToken = lib.strings.fileContents <secrets/telegram.token>;
+      bridgeBotToken = lib.strings.fileContents "${config.krebs.secret.directory}/telegram.token";
    in
      toString ((pkgs.formats.toml {}).generate "config.toml" {
        general = {
--- a/krebs/2configs/secret-passwords.nix
+++ b/krebs/2configs/secret-passwords.nix
@ -1,7 +1,7 @@
-{ lib, ... }:
+{ config, lib, ... }:
 with lib;
 {
  users.extraUsers =
    mapAttrs (_: h: { hashedPassword = h; })
-             (import <secrets/hashedPasswords.nix>);
+             (import "${config.krebs.secret.directory}/hashedPasswords.nix");
 }
--- a/krebs/2configs/shack/gitlab-runner.nix
+++ b/krebs/2configs/shack/gitlab-runner.nix
@ -1,4 +1,4 @@
-{ pkgs,lib, ... }:
+{ config, lib, pkgs, ... }:
 {
  boot.kernel.sysctl."net.ipv4.ip_forward" = true;
  services.gitlab-runner = {
@ -10,7 +10,7 @@
        # File should contain at least these two variables:
        # `CI_SERVER_URL`
        # `REGISTRATION_TOKEN`
-        registrationConfigFile = toString <secrets/shackspace-gitlab-ci>;
+        registrationConfigFile = "${config.krebs.secret.directory}/shackspace-gitlab-ci";
        dockerImage = "alpine";
        dockerVolumes = [
          "/nix/store:/nix/store:ro"
--- a/krebs/2configs/shack/grafana.nix
+++ b/krebs/2configs/shack/grafana.nix
@ -1,7 +1,6 @@
-let
+{ config, ... }: let
  port = 3000;
 in {
  networking.firewall.allowedTCPPorts = [ port ]; # legacy
  services.nginx.virtualHosts."grafana.shack" = {
    locations."/" = {
@ -25,6 +24,6 @@ in {
    users.allowOrgCreate = true;
    users.autoAssignOrg = true;
    auth.anonymous.enable = true;
-    security = import <secrets/grafana_security.nix>;
+    security = import "${config.krebs.secret.directory}/grafana_security.nix";
  };
 }
--- a/krebs/2configs/shack/muell_caller.nix
+++ b/krebs/2configs/shack/muell_caller.nix
@ -21,7 +21,7 @@ let
      install -m755 -D call.py  $out/bin/call-muell
    '';
  };
-  cfg = "${toString <secrets>}/tell.json";
+  cfg = "${config.krebs.secret.directory}/tell.json";
 in {
  systemd.services.call_muell = {
    description = "call muell";
--- a/krebs/2configs/shack/muell_mail.nix
+++ b/krebs/2configs/shack/muell_mail.nix
@ -9,7 +9,7 @@ let
      sha256 = "0hgchwam5ma96s2v6mx2jfkh833psadmisjbm3k3153rlxp46frx";
    }) { mkYarnPackage = pkgs.yarn2nix-moretea.mkYarnPackage; };
    home = "/var/lib/muell_mail";
-    cfg = toString <secrets/shack/muell_mail.js>;
+    cfg = "${config.krebs.secret.directory}/shack/muell_mail.js";
 in {
  users.users.muell_mail = {
    inherit home;
--- a/krebs/2configs/shack/prometheus/unifi.nix
+++ b/krebs/2configs/shack/prometheus/unifi.nix
@ -5,6 +5,6 @@
    unifiAddress = "https://unifi.shack:8443/";
    unifiInsecure = true;
    unifiUsername = "prometheus"; # needed manual login after setup to confirm the password
-    unifiPassword = lib.replaceStrings ["\n"] [""] (builtins.readFile <secrets/shack/unifi-prometheus-pw>);
+    unifiPassword = lib.replaceStrings ["\n"] [""] (builtins.readFile "${config.krebs.secret.directory}/shack/unifi-prometheus-pw");
  };
 }
--- a/krebs/2configs/shack/s3-power.nix
+++ b/krebs/2configs/shack/s3-power.nix
@ -10,7 +10,7 @@ let
    }) { mkYarnPackage = pkgs.yarn2nix-moretea.mkYarnPackage; };
    home = "/var/lib/s3-power";
-    cfg = toString <secrets/shack/s3-power.json>;
+    cfg = "${config.krebs.secret.directory}/shack/s3-power.json";
 in {
  users.users.s3_power = {
    inherit home;
--- a/krebs/3modules/retiolum-bootstrap.nix
+++ b/krebs/3modules/retiolum-bootstrap.nix
@ -22,8 +22,8 @@ in
        default = "${config.krebs.secret.directory}/tinc.krebsco.de.key";
    };
    # in use:
-    #  <secrets/tinc.krebsco.de.crt>
+    #  ${config.krebs.secret.directory}/tinc.krebsco.de.crt
-    #  <secrets/tinc.krebsco.de.key>
+    #  ${config.krebs.secret.directory}/tinc.krebsco.de.key
  };
  config = mkIf cfg.enable {
--- a/krebs/3modules/secret.nix
+++ b/krebs/3modules/secret.nix
@ -7,13 +7,17 @@ in {
      default = toString <secrets>;
      type = types.absolute-pathname;
    };
    file = mkOption {
      default = relpath: "${cfg.directory}/${relpath}";
      readOnly = true;
    };
    files = mkOption {
      type = with pkgs.stockholm.lib.types; attrsOf secret-file;
      default = {};
      apply = mapAttrs (name: secret-file:
        if types.absolute-pathname.check secret-file.source-path then
          secret-file
        else
          secret-file // {
            source-path = "${config.krebs.secret.directory}/secret-file.source-path";
          }
      );
    };
  };
  config = lib.mkIf (cfg.files != {}) {
--- a/krebs/5pkgs/simple/generate-secrets/default.nix
+++ b/krebs/5pkgs/simple/generate-secrets/default.nix
@ -39,7 +39,7 @@ pkgs.writers.writeDashBin "generate-secrets" ''
          };
        };
      };
-      ssh.privkey.path = <secrets/ssh.id_ed25519>;
+      ssh.privkey.path = "\''${config.krebs.secret.directory}/ssh.id_ed25519";
      ssh.pubkey = "$(cat $TMPDIR/ssh.id_ed25519.pub)";
    };
  EOF
--- a/lib/types.nix
+++ b/lib/types.nix
@ -340,7 +340,7 @@ rec {
      };
      source-path = mkOption {
        type = str;
-        default = toString <secrets> + "/${config.name}";
+        default = config.name;
        defaultText = "‹secrets/‹name››";
      };
    };
--- a/tv/2configs/binary-cache/default.nix
+++ b/tv/2configs/binary-cache/default.nix
@ -11,7 +11,7 @@
  services.nix-serve = {
    enable = true;
-    secretKeyFile = toString <secrets> + "/nix-serve.key";
+    secretKeyFile = "${config.krebs.secret.directory}/nix-serve.key";
  };
  services.nginx = {
--- a/tv/2configs/default.nix
+++ b/tv/2configs/default.nix
@ -10,7 +10,6 @@ with import ./lib;
  networking.hostName = config.krebs.build.host.name;
  imports = [
    <secrets>
    ./backup.nix
    ./bash
    ./htop.nix
@ -28,6 +27,11 @@ with import ./lib;
        defaultUserShell = "/run/current-system/sw/bin/bash";
        mutableUsers = false;
        users = {
          root = {
            openssh.authorizedKeys.keys = [
              config.krebs.users.tv.pubkey
            ];
          };
          tv = {
            inherit (config.krebs.users.tv) home uid;
            isNormalUser = true;
--- a/tv/2configs/gitrepos.nix
+++ b/tv/2configs/gitrepos.nix
@ -178,9 +178,7 @@ with import ./lib;
          '';
        };
      };
-    } //
+    }
    # TODO don't put secrets/repos.nix into the store
    import <secrets/repos.nix> { inherit config lib pkgs; }
  );
  irc-announce = args: pkgs.git-hooks.irc-announce (recursiveUpdate {
--- a/tv/2configs/initrd/sshd.nix
+++ b/tv/2configs/initrd/sshd.nix
@ -12,6 +12,6 @@
    ignoreEmptyHostKeys = true;
  };
  boot.initrd.secrets = {
-    "/etc/ssh/ssh_host_rsa_key" = <secrets/initrd/ssh_host_rsa_key>;
+    "/etc/ssh/ssh_host_rsa_key" = "${config.krebs.secret.directory}/initrd/ssh_host_rsa_key";
  };
 }
--- a/tv/2configs/ppp.nix
+++ b/tv/2configs/ppp.nix
@ -1,7 +1,7 @@
 with import ./lib;
 { config, pkgs, ... }: let
  cfg = {
-    pin = "@${toString <secrets/o2.pin>}";
+    pin = "@${config.krebs.secret.directory}/o2.pin";
    ttys.ppp = "/dev/ttyACM0";
    ttys.com = "/dev/ttyACM1";
  };
--- a/tv/2configs/wiregrill.nix
+++ b/tv/2configs/wiregrill.nix
@ -12,7 +12,7 @@ in
        optional (cfg.net.ip4 != null) cfg.net.ip4.addr ++
        optional (cfg.net.ip6 != null) cfg.net.ip6.addr;
      listenPort = 51820;
-      privateKeyFile = (toString <secrets>) + "/wiregrill.key";
+      privateKeyFile = "${config.krebs.secret.directory}/wiregrill.key";
      allowedIPsAsRoutes = true;
      peers = mapAttrsToList
        (_: host: {
--- a/tv/3modules/charybdis/default.nix
+++ b/tv/3modules/charybdis/default.nix
@ -17,11 +17,11 @@ in {
    };
    ssl_dh_params = mkOption {
      type = types.absolute-pathname;
-      default = toString <secrets> + "/charybdis.dh.pem";
+      default = "${config.krebs.secret.directory}/charybdis.dh.pem";
    };
    ssl_private_key = mkOption {
      type = types.absolute-pathname;
-      default = toString <secrets> + "/charybdis.key.pem";
+      default = "${config.krebs.secret.directory}/charybdis.key.pem";
    };
    sslport = mkOption {
      type = types.int;
--- a/tv/3modules/ejabberd/default.nix
+++ b/tv/3modules/ejabberd/default.nix
@ -20,7 +20,7 @@ in {
    certfiles = mkOption {
      type = types.listOf types.absolute-pathname;
      default = [
-        (toString <secrets> + "/ejabberd.pem")
+        "${config.krebs.secret.directory}/ejabberd.pem"
      ];
    };
    configFile = mkOption {
--- a/tv/3modules/wwan.nix
+++ b/tv/3modules/wwan.nix
@ -19,7 +19,7 @@ with import ./lib;
    };
    tv.wwan.secrets = mkOption {
      type = with types; pathname;
-      default = toString <secrets/wwan.json>;
+      default = "${config.krebs.secret.directory}/wwan.json";
      # format: {"pin1":number}
    };
  };
--- a/tv/3modules/x0vncserver.nix
+++ b/tv/3modules/x0vncserver.nix
@ -9,7 +9,7 @@ in {
    };
    enable = mkEnableOption "tv.x0vncserver";
    pwfile = mkOption {
-      default = toString <secrets> + "/vncpasswd";
+      default = "${config.krebs.secret.directory}/vncpasswd";
      description = ''
        Use vncpasswd to edit pwfile.
        See: nix-shell -p tigervnc --run 'man vncpasswd'